Symantec VIP two factor auth

I just set up Symantec VIP two-factor authentication for my bank account, to replace an old VeriSign hardware token. Symantec VIP is a mobile phone app; they also sell a hardware token.

The basic security model is similar to the VeriSign token or TOTP as implemented by Google Authenticator. I type my password to log in, then am prompted to type a six digit second code from the Symantec VIP app. The code generated is valid for 30 seconds. I’m not positive it’s time-based; every time I generate a new token, it shows as valid for a full 30 seconds.

The Symantec VIP app has a very simple model of user identity. The first time I ran the app on my phone it assigned me a “Credential ID”. I then supply that to every single site that I want to use it for 2FA. That’s different from the Google Authenticator model where you scan a QR code to set up a new site. Not sure how Symantec supports having multiple identities or changing your ID. There is an option to scan a QR code, so maybe there’s a second identity model.

There’s no backup of the token; if I lose the phone or something I have to go back to my bank to set up access again, out of band.

Another slight weirdness: my bank says it will take 48 hours to enable the token. No explanation why it’d take that long. In the meantime they gave me a temporary 6 digit code that will work many times as my 2FA code. That’s not ideal but probably harmless, at least in this application.

Symantec VIP is more complex than I’ve seen. There’s a whole VIP Manager product for enterprise management, maybe that provides more flexibility and control for advanced users.

As an end user I prefer Google Authenticator, mostly because I’ve got it set up for several sites already. But Symantec VIP seems OK too. No idea how their backend integration tools compare. TOTP sounds awfully simple to deploy.

Update: one problem with the basic Symantec VIP model: my bank is relying on Symantec to keep the secret safe. They didn’t generate a new secret for me to share with them, they’re using whatever is baked into my default Symantec ID. That may be appropriate for many businesses that want to outsource security, but it’s a form of risk.

Python metaprogramming

This Reddit discussion had me looking at a couple of metaprogramming tricks used in Python code.

The standard library’s namedtuple type is generated on the fly at runtime. When a new namedtuple is created the library generates it from a template string. It fills out the template with the necessary details and then passes the class definition to exec(). Exciting! But relatively straightforward and easy to understand. (Except for that extra bit to support pickling; yuck.)
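As an added illustration of that template-and-exec approach (my own cut-down sketch, not the standard library’s code), here is a record type generator. The part worth noticing from a security angle is the identifier check: the type and field names are spliced into Python source that is then handed to exec(), so anything that is not a plain, non-keyword identifier has to be rejected up front, which is exactly what namedtuple does before it fills in its template.

```python
"""Added example in the spirit of namedtuple's template-and-exec trick; my own
sketch, not the standard library's implementation."""
import keyword

_TEMPLATE = '''\
class {typename}(tuple):
    """{typename}({arg_list})"""
    __slots__ = ()
    _fields = {fields!r}

    def __new__(cls, {arg_list}):
        return tuple.__new__(cls, ({arg_list},))

    def __repr__(self):
        body = ", ".join(f"{{n}}={{v!r}}" for n, v in zip(self._fields, self))
        return f"{typename}({{body}})"

{properties}
'''


def make_record(typename, field_names):
    """Build a tuple subclass with named fields by filling a source template
    and exec()'ing it, the way namedtuple historically did."""
    if isinstance(field_names, str):
        fields = tuple(field_names.replace(",", " ").split())
    else:
        fields = tuple(field_names)
    if not fields:
        raise ValueError("at least one field is required")
    # Every name below is spliced into Python source and executed, so it must
    # be a plain identifier.  Without this check a "field" such as
    # 'x): pass\nimport os' would simply run as code.
    for name in (typename, *fields):
        if not name.isidentifier() or keyword.iskeyword(name):
            raise ValueError(f"not a valid identifier: {name!r}")
    if len(set(fields)) != len(fields):
        raise ValueError("duplicate field names")
    properties = "\n".join(
        f"    {name} = property(lambda self: self[{i}], doc='field {i}')"
        for i, name in enumerate(fields)
    )
    source = _TEMPLATE.format(typename=typename, fields=fields,
                              arg_list=", ".join(fields), properties=properties)
    namespace = {}
    exec(source, namespace)        # the generated class definition runs here
    return namespace[typename]
```

The generated class is an ordinary tuple subclass (it compares equal to a plain tuple of the same values); what the validation buys you is that untrusted field names can only ever produce a ValueError, never executed code.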

pytest is an alternative unit testing library that has you just using the assert statement everywhere, no library functions. To report test failures in a nice way, it does some dark magic:

Reporting details about a failing assertion is achieved by rewriting assert statements before they are run. … pytest rewrites test modules on import by using an import hook to write new pyc files

I haven’t read the pytest code but from the way that’s written my impression is they’re inspecting compiled bytecode and rewriting the assert statements to instrument them. That sounds a little scary, in particular if it fails it must be completely confusing. They do warn you that “if you are messing with import yourself, the import hook may interfere”. Update: here’s a description of the code rewriting as of 2011.
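pytest’s rewrite works on the parsed syntax tree of each test module: the import hook parses the source, replaces each assert with code that evaluates the operands separately so they can be shown in the failure report, compiles the result and caches it as a .pyc. As an added example (my own toy, not pytest’s code), here is the core of such a rewrite for the common `assert a OP b` case, done with ast.NodeTransformer; the `_check_compare` helper and the message format are mine.

```python
"""Added example: a toy assert rewriter in the spirit of pytest's assertion
rewriting.  My own code, not pytest's; `_check_compare` is a made-up helper."""
import ast
import operator

_OPS = {
    "Eq": operator.eq, "NotEq": operator.ne,
    "Lt": operator.lt, "LtE": operator.le,
    "Gt": operator.gt, "GtE": operator.ge,
    "Is": operator.is_, "IsNot": operator.is_not,
    "In": lambda a, b: a in b, "NotIn": lambda a, b: a not in b,
}


def _check_compare(op_name, left, right, source):
    """Runtime helper the rewritten assert calls instead of comparing inline,
    so both operands are available when the comparison fails."""
    if not _OPS[op_name](left, right):
        raise AssertionError(
            f"assert {source} failed\n  left:  {left!r}\n  right: {right!r}")


class AssertRewriter(ast.NodeTransformer):
    """Turn `assert <left> OP <right>` into `_check_compare(...)`.  Asserts with
    a custom message or a non-comparison test are left untouched."""

    def visit_Assert(self, node):
        test = node.test
        if (node.msg is None and isinstance(test, ast.Compare)
                and len(test.ops) == 1):
            call = ast.Call(
                func=ast.Name(id="_check_compare", ctx=ast.Load()),
                args=[
                    ast.Constant(type(test.ops[0]).__name__),
                    test.left,
                    test.comparators[0],
                    ast.Constant(ast.unparse(test)),   # original text for the report
                ],
                keywords=[],
            )
            return ast.copy_location(ast.Expr(value=call), node)
        return node


def failure_message(source: str):
    """Rewrite, compile and run `source`; return the AssertionError text, or
    None if every assertion held.  pytest does the same rewrite inside an
    import hook so test modules get it transparently."""
    tree = AssertRewriter().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    namespace = {"_check_compare": _check_compare}
    try:
        exec(compile(tree, "<rewritten>", "exec"), namespace)
    except AssertionError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(failure_message("x = [1, 2]\nassert len(x) == 3"))
```

Because the operands are evaluated by the helper rather than inline, the rewrite changes evaluation only in the ways the report needs; the failure mode the post worries about shows up when an unrelated import hook compiles the module first, in which case the plain assert runs and the detailed message is simply absent.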

That second technique reminds me a bit of the way that Protovis rewrote JavaScript at load time so you could use more modern JavaScript syntax than the browser supported. Mike abandoned that idea in D3, I think because it made things too complicated.


Some ssh tricks

I’m making some ad-hoc solution for monitoring a security camera after my bad experience with Foscam. Here are some ssh tricks I had to do to make it work.

Restricting ssh to rsync. A way to set up a passwordless SSH key for rsync that’s not a total security hole. I did something similar myself for backups awhile back.
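The linked post’s details aren’t reproduced here, but the standard way to make a passwordless rsync key safe is a forced command in authorized_keys (rsync ships the rrsync wrapper for exactly this), combined with the restrict option (OpenSSH 7.2 and later) and, where the client has a fixed address, a from= limit. As an added example, my own and not from the linked post, here is a small audit of an authorized_keys file that parses the options field (including command= values that contain spaces) and flags keys missing those restrictions. The key material in the sample is a constructed placeholder, not real keys.

```python
"""Added example: flag authorized_keys entries that lack a forced command,
restrict, or from= limit.  My own code; the sample keys are constructed."""

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)
# The individual options that `restrict` is shorthand for (plus a few more).
NO_OPTIONS = {"no-pty", "no-port-forwarding", "no-agent-forwarding",
              "no-x11-forwarding"}

# Constructed sample, not a real key file: the base64 is filler.
SAMPLE = """
# backup key: forced command, restricted, pinned to the NAS
command="rrsync -ro /srv/backups",restrict,from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForIllustration backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForIllustration laptop
no-pty,command="/usr/local/bin/snapshot --push" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyData cron@cam
"""


def _scan_options(line):
    """Return the index of the first whitespace outside double quotes; that is
    where the options field ends (command="..." may itself contain spaces)."""
    i, quoted = 0, False
    while i < len(line):
        ch = line[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "\\" and quoted:
            i += 1                      # skip the escaped character
        elif ch.isspace() and not quoted:
            return i
        i += 1
    return len(line)


def split_options(field):
    """Split a comma-separated options field without splitting inside quotes."""
    out, cur, quoted = [], [], False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Parse one authorized_keys line into options, key type, key and comment;
    None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split()[0] in KEY_TYPES:
        options, rest = [], line
    else:
        end = _scan_options(line)
        options, rest = split_options(line[:end]), line[end:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    return {"options": options, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def audit(text):
    """Return [(comment_or_type, [problems])] for every key that is not locked
    down to a single command from a known source."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        names = {opt.split("=", 1)[0].lower() for opt in entry["options"]}
        problems = []
        if "command" not in names:
            problems.append("no command= restriction: the key grants a full shell")
        if "restrict" not in names and not NO_OPTIONS <= names:
            problems.append("missing restrict (or the individual no-* options)")
        if "from" not in names:
            problems.append("no from= source restriction")
        if problems:
            findings.append((entry["comment"] or entry["type"], problems))
    return findings


if __name__ == "__main__":
    for who, problems in audit(SAMPLE):
        print(who, "->", "; ".join(problems))
```

Run against the sample, only the first key passes; the bare laptop key is a full passwordless login, and the cron key has a forced command but still allows port and agent forwarding. A forced command does not by itself stop the client from asking for a tunnel, which is why restrict (or the no-* options) belongs on every such key.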

Chaining ssh tunnels. I need to create an ssh tunnel to a second host, and from there to a third host. Tunnels more or less chain like you’d expect but you need to add the -t flag to ssh to get it to create a tty for some reason. The -A flag is handy too, of course.


Foscam R2 is garbage

I got a Foscam R2, a cheap and capable Internet camera for home security. But the software is so bad and insecure I’m returning it. A camera in my house has a high bar for security. I do not want video from my house leaking on the Internet. Foscam is designed around a cloud service, so the bar is very high indeed. Given how bad my first 30 minutes were I’m returning the thing.

Summary:

  • I can’t upgrade the firmware
  • I can’t connect to the IP interface at all
  • The website requires a native code plugin to run
  • They don’t quote user input correctly

Security problems

The biggest problem is utter contempt for basic security. Some examples:

The camera configuration won’t accept my wifi password because it has a space in it. Foscam support has an alarming list of characters you can’t use, including & and =. This suggests they aren’t properly quoting user input. (The linked discussion confirms that.)
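A blacklist of shell metacharacters is the usual symptom of user input being spliced into a command or config file as text. As an added example of that bug class (my own constructed snippets, not Foscam’s code and not from the original post), here is the anti-pattern next to two fixes: quoting every argument, and avoiding the problem entirely by writing the WPA2 pre-shared key as hex, which wpa_supplicant accepts instead of a quoted passphrase.

```python
"""Added example of the bug class a character blacklist hints at.  My own
constructed snippets, not Foscam's code or the original post's."""
import hashlib
import shlex


def naive_command(ssid: str, passphrase: str) -> str:
    """Anti-pattern: splice user input straight into a shell command string.
    A space, '&', ';' or '=' in the passphrase changes what the shell runs,
    which is exactly the kind of input a blacklist then has to forbid."""
    return f"wpa_passphrase {ssid} {passphrase} > /etc/wpa_supplicant.conf"


def quoted_command(ssid: str, passphrase: str) -> str:
    """Same command with each argument shell-quoted: every character is data."""
    return (f"wpa_passphrase {shlex.quote(ssid)} {shlex.quote(passphrase)}"
            " > /etc/wpa_supplicant.conf")


def wpa2_psk(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA2 PSK: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 rounds, 32 bytes (IEEE 802.11), returned as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def network_block(ssid: str, passphrase: str) -> str:
    """wpa_supplicant network block with no quoting at all: the SSID written
    as hex and the passphrase replaced by the derived PSK."""
    return ("network={\n"
            f"\tssid={ssid.encode().hex()}\n"
            f"\tpsk={wpa2_psk(ssid, passphrase)}\n"
            "}\n")


if __name__ == "__main__":
    hostile = "my pass & x=1; reboot"
    print(naive_command("home", hostile))     # shell sees several commands
    print(quoted_command("home", hostile))    # shell sees three arguments
    print(network_block("home", hostile))     # no shell involved at all
```

The PSK derivation can be checked against the IEEE test vector (passphrase “password” on SSID “IEEE”); the broader point is that a device which needs to forbid “&” and “=” in a Wi-Fi password is telling you how it handles that password internally.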

The camera’s local IP interface is HTTPS only. Nice! Only there’s no valid SSL certificate since there’s no meaningful hostname. After telling my browser to ignore the warning I can get a login page and a tip briefly pops up “Don’t support using HTTPS to login chrome”. Logging in with Chrome does not work. Neither does Edge. I can maybe log in with IE10, but all I get is a popup saying I have to install a .exe plugin first to use the camera. No thank you.

There are several separate websites: foscam.us, foscam.com, and myfoscam.com. I’m not positive but I think the .us site is an American reseller? They have an alarming security note:

In early June Foscam Digital had been notified of 18 security vulnerabilities that existed on cameras manufactured by Shenzhen Foscam …  Foscam Shenzhen initially did not address the vulnerabilities for several months … . However, on June 14th, shortly after the vulnerabilities were communicated directly to end-users by Foscam Digital in order to pressure Foscam Shenzhen to take action, Foscam Shenzhen released a firmware update response available here

Usability problems

I can’t upgrade the firmware. The mobile app has a firmware upgrade option and does seem to upgrade the camera to 1.11.1.6. But then there’s a second upgrade to 2.x.1.18 (yes, the x is part of the version number) that does not work via the mobile app. There are instructions for upgrading via the web interface but since I can’t log in, I can’t do that.


The English translation is terrible. The very first text you see in the mobile app you have to use to configure the camera is “Has the account?Sign up”. There are translation errors all over the product. I’m usually the last person to criticize someone who speaks imperfect English as a second language. But this sure makes for a bad impression.

The website for the Foscam cloud service works for about 30 seconds, then pops up a dialog that says “Foscam web component has beed upgraded” (sic). The popup is modal with a “Click to download” button that says “Please click me to install plugin(Now we don’t support IE(64))”. It downloads a .exe that I wouldn’t dream of running.


I can’t find their MAC address prefix 00:62:6e in the OUI database. That might not mean anything. Or it might mean they’re cutting some important corners with their ethernet chipset.


Twitter Python clients by release date

I want to write a program using the long-suffering Twitter API. There’s a zillion Python options, here’s what I found. I used the most recent PyPI release date as my primary criterion, because I want something actively maintained.

Of course release age isn’t everything. All four libraries linked above have similar APIs for doing simple things. I believe all four now support the streaming API too. On a quick glance tweepy and python-twitter have the most reassuring test suites.

I picked tweepy to start with because it has the most recent recommendations on /r/python. Also there’s still activity on GitHub, even if no recent releases. So far so good.

Windows sshfs clients

I want to access a remote machine’s Unix filesystem via ssh, the way you’d do with sshfs and FUSE in Unix. There’s a lot of options for it.

  • SFTPNetDrive, what I’m using now. Works simply out of the box. Free for personal use, $100 for commercial use.
    Seems fine, Y: is now my remote disk. Has some reasonable customization options but nothing overwhelming. There’s an option to mount the disk as “Network, Removable, or Fixed”. I was hoping that could fake out WSL so that I could see the remote disk in the Ubuntu-on-Windows subsystem (which now supports removable disks). No such luck.
  • NetDrive, the big daddy commercial system. This provides interfaces for a whole bunch of cloud storage options: S3, OneDrive, etc. 30 day eval, then you pay $50
  • ExpanDrive, another multi-service commercial option. $50
  • sshfs-win using WinFSP. Open source FUSE-like solution. Looks promising.
  • win-sshfs, a fork of an older project (keyword: Dokan). No commits for 9 months, but does have Windows 10 support so it’s not totally dead.


Canon MX850 and Windows 10

tl;dr: reinstall the Windows 8.1 driver to get the scanner working.

I have a Canon MX850 I bought 8 years ago. It’s one of those cheap multifunction inkjet printer/scanner/fax things, the ones that cost $20 but each ink refill costs a small part of your immortal soul. The printer has been pretty reliable, but the scanner keeps failing. I’m not certain but my guess is that Canon’s network scanner driver isn’t smart enough to follow the scanner through IP address changes from DHCP. But the printer keeps working, huh.

Anyway, the simple fix is to download and reinstall Canon’s driver. No need to uninstall first. Windows 10 is not supported by Canon, but the 8.1 (x64) driver seems to work fine. At least scanning does, via Windows Fax and Scan. Haven’t tried the fax side.